Microsoft disrupts servers used by feared Zeus bank Trojan

In the most significant cybercrime bust of the year so far, Microsoft and US banking organisations say they have disrupted a number of the most active botnets that have been attacking online banking customers across the world with impunity using the Zeus crimeware.

In the most significant cybercrime bust of the year so far, Microsoft and US banking organisations say they have disrupted a number of the most active botnets that have been attacking online banking customers across the world with impunity using the Zeus crimeware.

On 19 March, the company filed a court action using the US Racketeer Influenced and Corrupt Organizations (RICO) Act alleging that 39 individuals - “John Does 1-39” - were responsible for Zeus-based botnets that had stolen an alleged $100 million (£63 million) over the past five years by after infecting 13 million PCs.

By 23 March, the company’s Digital Crimes Unit, the Information Sharing and Analysis Center (FS-ISAC) and the Electronic Payments Association NACHA, launched ‘Operation b71’, physically seizing hosted servers allegedly used as command and control for the bots, gathering further evidence against the accused.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” said Microsoft in an official statement.

In addition to Zeus, botnets built using the related SpyEye and Ice-IX variants were also disrupted, Microsoft said.

The action is only the latest in a long line stretching back years that have seen Microsoft and its Digital Crimes Unit become perhaps the most successful anti-cybercrime organisation on the planet, harnessing local laws, trade bodies and the security industry itself to counter a digital crimewave.

The most action significant in recent times was against the infrastructure behind the Rustock botnet in March 2011, which immediately cut global spam levels. In addition to similar campaigns against Waledec and last summer’s anti-Kelihos operation, this has helped reduce the volume of spam circulating on the Internet almost back to levels last seen some years ago.

What of Zeus and why has it become so significant? The simplest answer to this is probably that it is the first banking malware to be turned into what is termed 'crimeware', that is a featured crime platform sold to criminals across the world. That has fuelled its popularity and success.

Any action that removes some of the infrastructure will have a short-term impact on its activity but the biggest blow is simply that someone, anyone, has done something. Crybercriminals profiting from effective but common malware such as Zeus have acted in the knowledge that they will probably get away with their crimes. As of today, that assumption might not be as secure.